How Far Must You See to Hear Reliably[Extended Abstract]

Pranav K Vasishta∗

vasishta@research.iiit.ac.in

Anuj Gupta∗

anujgupta@research.iiit.ac.in

Prasant Gopal†

prasant@csail.mit.edu

Piyush Bansal∗

piyush bansal@research.iiit.ac.in

Rishabh Mukherjee∗

rishabh m@research.iiit.ac.in

Poornima M∗

mpoornima@research.iiit.ac.in

Kannan Srinathan∗

srinathan@iiit.ac.in

Kishore Kothapalli∗

kkishore@iiit.ac.in

Abstract

We consider the problem of probabilistic reliable communication (PRC) over synchronousnetworks modeled as directed graphs in the presence of a Byzantine adversary when players’knowledge of the network topology is not complete. We show that possibility of PRC is ex-tremely sensitive to the changes in players’ knowledge of the topology. This is in completecontrast with earlier known results on the possibility of perfectly reliable communication overundirected graphs where the case of each player knowing only its neighbours gives the sameresult as the case where players have complete knowledge of the network. Specifically, in eithercase, (2t + 1)-vertex connectivity is necessary and sufficient, where t is the number of nodesthat can be corrupted by the adversary [DDWY93, SKR+05]. We introduce a novel model forquantifying players’ knowledge of network topology, denoted by TK. Given a directed graph G,influenced by a Byzantine adversary that can corrupt up to any t players, we give a necessaryand sufficient condition for possibility of PRC over G for any arbitrary topology knowledge TK.It follows from our main characterization theorem that knowledge of up to d = bn−2t

3 c+1 levelsis sufficient for the solvability of honest player to honest player communication over any networkover which PRC is possible when each player has complete knowledge of the topology. We alsoshow the existence of networks where PRC is possible when players have complete topologyknowledge but it is not possible when the players do not have knowledge of up to d = bn−2t

3 c+1levels.

Keywords: reliable communication, topology knowledge, synchronous networks, directed graphs,Byzantine adversary

∗Center for Security, Theory and Algorithmic Research(CSTAR), International Institute of Information Technol-ogy, Hyderabad, 500032, India.†Computer Science and Artificial Intelligence Laboratory(CSAIL), Massachusetts Institute of Technology, Cam-

bridge, MA 02139, USA.

1

1 Introduction

Reliable Communication is one of the fundamental problems and one among the keenly studiedproblems of distributed computing. The problem of reliably communicating between a Sender Sand a receiver R over a network N in the presence of an adversary that can corrupt up to t players(denoted by a t-adversary) and make them behave arbitrarily is of great relevance in almost allpractical circumstances. In general, while studying the problem of reliable communication, one as-sumes knowledge of complete topology for each player. We consider the problem of communicatingreliably (with negligible error) between S and R in the presence of a t-adversary over synchronousdirected networks when players possess only partial knowledge of the topology.

Reliable transmission of messages between two honest (not corrupted by t-adversary) players isof utmost importance because several distributed computing problems will be rendered unsolvablein the absence of reliable transmission between honest players. We focus on probabilistic reliablecommunication (PRC) between two honest players and give the necessary and sufficient conditionsfor the possibility of PRC over a synchronous directed network for any arbitrary topology knowl-edge. By PRC, we mean, PRC in synchronous networks (modelled as a directed graph) in thepresence of a Byzantine adversary. In the problem of PRC over a synchronous network N = (P, E)where P is the set of vertices and E denotes the set of arcs/edges in the network, the sender S∈ P wishes to send a message m to the receiver R ∈ P in a robust manner such that the mes-sage is correctly received by R with a very high probability, in spite of the presence of up to tByzantine-faulty nodes in N .

Generally knowledge of the topology is mentioned as players having knowledge of their neigh-bors, or their neighbors’ neighbors, that is up to a level d. We consider knowledge of up to level 1as knowledge of both in-neighbours and out-neighbours of the corresponding players.

In this paper, we refer to the notion of knowledge possessed by a node about the graph G byTopology Knowledge T K at that node, which we define as a collection of possible graphs withone of them being the actual graph. One can easily note that the notion of T K is relevant onlyin the presence of a suitable adversary. In the absence of a suitable adversary, each node canlet the rest of the players (of course only as far as the connectivity permits!) know its view ofthe network in order to end up with a global common picture of the topology for each of theconnected components respectively. Consequently, while the distributed complexity may increase,the distributed computability is unaffected. However, in the presence of the adversary, any amountof communication would entail only an (adversary controlled) approximation of the actual topology,thereby perhaps affecting even the distributed computability. Intuitively though, the adversary canat best completely hide the edges between two faulty players and if lucky, succeed in partially hidingeven the edges with one faulty end-node. However, useful messages are seldom transmitted via theaforementioned edges. This gives a feeling that distributed computability may not be affected —in fact, for the case of perfectly reliable communication it has been proved that the knowledge ofone’s neighbors alone is as sufficient as the knowledge of the global topology; specifically, (2t+ 1)-connectivity is necessary and sufficient irrespective of T K, where up to t players are Byzantine faulty(t-adversary)[SKR+05]. Counter-intuitively, for the case of probabilistic reliable communication,we show that the optimal fault-tolerance heavily depends on T K.

In [VGG+09], Pranav et al. show that knowledge of partial topology knowledge affects thepossibility of PRC by giving a specific example. In this paper, we give the complete characterizationfor the possibility of PRC over any given network modeled as directed graphs under the influence ofa (static) t-Byzantine adversary when the players have arbitrary topology knowledge T K. We useour definition T K which is set, to arrive at the characterization. To appreciate the consequencesof our results, we also arrive at a distance measure, that R must see up to d = bn−2t

3 c + 1 levels

2

in order to ensure the possibility of PRC protocol over those networks for which PRC is possiblegiven complete topology knowledge. That is to say, PRC between any two honest players over anynetwork is possible if the receiver amongst the players’ sees distance d = bn−2t

3 c+ 1 levels providedPRC were solvable in the case where players have complete knowledge of the topology.Related Work: The problem of perfectly reliable communication tolerating a t-adversary overundirected graphs is introduced by Dolev et al. [DDWY93]. PRC over undirected graphs was intro-duced by Franklin and Wright [FW98, FW00]. Desmedt and Wang [DW02] were the first to studythe problem of reliable communication over directed networks. (2t+1)-connectivity between S andR is necessary and sufficient for all the problems given in the prequel. Shankar et al. [SGSR08]show that the results for the case of possibility of PRC in directed graphs are markedly differentfrom the earlier results, which appear consistent. This difference is because their results show thatconnectivity requirements on the graph for the possibility of PRC over directed graphs as being thereceiver R-specific (See Necessity proof of Theorem 4.1). However, they study PRC for the casewhere every player has complete knowledge of the topology. In this sequence of study, we studythe problem of PRC in directed graphs for partial knowledge of the topology. The line of studythat we take originated in the paper by Srinathan and Pandurangan in [SR06], where the authorsshow the conditions for the possibility of PRC over directed graphs for a non-threshold adversary.

Contributions: Our Contributions through this paper are manifold: (1) We completely charac-terize the problem of PRC between S and R over arbitrary synchronous directed networks in thepresence of a t-adversary, when each player has partial knowledge of the topology. (See Theorem 4.1)(2) It follows from our main characterization theorem that knowledge of up to d = bn−2t

3 c+1 levelsis sufficient for the solvability of honest player to honest player communication over any networkover which PRC is possible when each player has complete knowledge of the topology. (See Corol-lary 4.1.1) (3) We also show the existence of networks where PRC is possible when players havecomplete topology knowledge but it is not possible when the players do not have knowledge of upto d = bn−2t

3 c+1 levels. (See Corollary 4.1.2) (4) We give a strong definition of topology knowledgefrom which it is possible to extract information as to whether the players’ have a knowledge of up tok levels. (See Definition 1). (5) Arriving at our main characterization require us to take a detour inbuilding tools which enable us to handle arbitrary topology knowledge. These tools make extensiveutilization of our Definition for Topolology Knowledge (See Definition 2). The tools in themselvesare for distributed computing problems with certain properties (See Table 1) and PRC satisfies therelevant conditions. We give them as Bridge Theorems, Theorem 3.1 and Theorem B.1.

Our focus in this paper is on finding the possibility of PRC protocols, and we do not focus onthe complexity of the protocols. Our constructions to prove the possibility of PRC protocols lead usto protocols with super-polynomial complexity. We remark that finding polynomial-time solutionsfor the problem is quite challenging and we do not rule out the possibility of an exponential lowerbound.

2 Model and DefinitionsThe network is modeled as a directed graph N = (P, E) where P is the set of vertices and E denotesthe set of arcs/edges in the directed graph. We model the nodes/players (as well as the adversary)as interactive Turing machines with unbounded computing power. The system is assumed to besynchronous, that is, the protocol is executed in a sequence of rounds wherein in each round, a playercan perform some local computation, send new messages to his out-neighbors, receive the messagessent in that round by his in-neighbors (and if necessary perform some more local computation), inthat order. In the graph, we assume that the channels are secure. In other words, if (u, v) ∈ E

3

then the player u can securely send a message to player v in one round. During the execution, theadversary may corrupt up to any t players. We work with a (static) Byzantine adversary that maycompletely control up to t players (denoted by t-adversary) and make them behave in arbitraryfashion. Every honest player that receives a message from its in-neighbor knows the sender as itcan identify the channel along which the message is received. All messages to be transmitted arechosen from a finite field F.

2.1 DefinitionsDefinition 1 (Topology Knowledge of player i (T Ki)) In a given network N = (P, E), wedefine Topology Knowledge of player i T Ki as the knowledge possessed by player i about the networkN . It is represented by a set of graphs,i.e. T Ki = {Giki}, with a condition that one of the graphs

from the set T Ki is the actual graph N where 1 ≤ ki < 2|P|2

, that is, 1 ≤ |T Ki| < 2|P|2

.

Notice that when you define topology knowledge of a player this way, the player is in possessionof adjacency matrices of each of the graphs, of which one of them is actual graph. So, if for anyplayer j (j could be i also), the entries of rows (out-edges) and columns (in-edges) are the sameacross all the matrices, then we say that player i has knowledge of up to level 1 with respect to theplayers j. If for every player j, the entries for rows and columns are the same across all adjacencymatrices, then it is as good as knowing the complete topology.

Definition 2 (Topology Knowledge T K) We define the notion Topology Knowledge T K as thecollection of all the individual T Ki’s (for all the players in P). Specifically, T K = {T Ki|i ∈ P}.

Definition 3 (k-sized T Ki and k-sized T K) A k-sized T Ki is defined as T Ki where |T Ki| = k.If there exists an integer k such that every T Ki in the collection T K is `-sized for some ` ≤ k, thenthe topology knowledge T K is defined as a k-sized T K.

At the outset, we assume each player i knows the following: (1) Set of vertices in N , i.e,P (2)Topology Knowledge of player i, T Ki. We also assume the worst-case scenario where the adversaryknows all the T Ki’s for i ∈ P as well as is aware of the actual graph G.

Note 1 When each of the graphs is written in G = (V,E) form, we note that Gik = (P, E iki), andonly the edge-set keeps changing across the graphs for each of the players. Therefore, we can replaceevery graph Giki in the set T Ki with the set of its edge-sets {E iki} for each player i to make mattersmore convenient. We will be using T Ki synonymously with {E iki} from now on.

3 Bridge Theorems

As per the Definition 2, T K can be a set containing varying topology knowledge edge sets for eachplayer, thereby indicating that the extent of knowledge possessed by each player is different. Thisis how arbitrary it can get. Working with this arbitrariness could bewilder more than clarify whatcan be done with. But the use of set theoretic notation for T K has its own advantages which canbe seen from the two theorems in this section. These theorems act as the bridge theorems for ourmain characterization theorem, Theorem 4.1.

In this section, we give a theorem in which we show that those problems π that satisfy certainconditions have a property that, over a network N working with an N-sized T K is equivalent toworking with (several) 2-sized T K with respect to the solvability of π. This equivalence works onlyfor those problems that satisfy the conditions in the Table 1 (See Appendix A).These conditions

4

are a prerequisite for the correctness of majority voting which we employ to show the equivalence.Majority voting is applied to the outputs obtained on solving π for various different-sized T Ks.

We begin by giving followed by a definition which we use in our proof for the first bridge theoremin our attempt to solve for the possibility of PRC in the setting that we work.

3.1 Bridge Theorem 1: N-sized T K to 2-sized T K

We begin with the following definition.Definition 4 Given a graph G = (P, E) with N-sized T K = {T KP1 , T KP2 , . . . , T KP|P|}, N > 2,where each T KPi = {EPi1 , EPi2 , . . . , EPik }, k ≤ N , and a 2-sized topology knowledgeZ = {ZP1 ,ZP2 , . . . ,ZP|P|} with each ZPi = {APi0 , A

Pi1 }, 1 ≤ i ≤ |P|, such that one of the APij ’s is

exactly the edge-set E (the edge-set of G) while the other is an edge-set (different from E) that ispresent in T KPi. In other words, there exists a j ∈ {0, 1} such that E = APij and APi

j∈ T KPi for

every player Pi, we say that Z is derived from T K.

Note that an N-sized T K can have up to (N−1)|P| distinct 2-sized topology knowledge sets derivedfrom it.Theorem 3.1 A protocol Π that solves a problem π, satisfying either IO Condition and InputHonesty Condition or IO Condition and Output Agreement Condition in Table 1, over a networkN with N -sized T K (N > 2) influenced by an adversary A exists if and only if, for each of the2-sized topology knowledge Zj (1 ≤ j ≤ (N − 1)|P|), that can be derived from T K, there exists aprotocol solving π with topology knowledge Zj.

Proof: Necessity: We need to prove that if π cannot be solved with one of the 2-sized topologyknowledge sets Zj derived from T K then π cannot be solved with T K. The proof follows from theDefinition 3. Notice that, all valid 2-sized topology knowledge sets derived from T K are included,by definition, in an N -sized topology knowledge set. That is, Zj is also an N -sized topologyknowledge set. If a problem π cannot be solved with Zj derived from T K in the presence of anadversary A, then the strategy of the adversary is to change the topology knowledge from T K toZj by suitably communicating to the nodes the information needed to eliminate the edge-sets atwhich topology knowledge of each player in T K differs from the corresponding topology knowledgein Zj . This naturally means that π cannot be solved with T K.Sufficiency: We need to prove the statement: If there exists a protocol Πj that can solve the problemπ for the jth 2-sized topology knowledge Zj (1 ≤ j ≤ (N−1)|P|) derived from T K, then there existsa protocol Π that can solve π with topology knowledge T K. We give a proof by induction on thesize of T KPi of player Pi (1 ≤ i ≤ |P|).Base Case: In this case, N = 3. That means T KPi is a 3-sized set. Let T KPi = {EPi1 , EPi2 , EPi3 },1 ≤ i ≤ |P|. We can partition T KPi into 3 sets, each of which is of size less than 3 such that everyelement in T KPi occurs in two of the three sets. Since any one of the three elements of T KPi couldbe the actual edge-set, two of the following three sets will be the 2-sized topology knowledge setsderived from T KPi : Z

PiA = {EPi1 , EPi2 }, Z

PiB = {EPi1 , EPi3 }, Z

PiC = {EPi2 , EPi3 }.

A jth 2-sized topology knowledge Zj (1 ≤ j ≤ (N − 1)|P|) is a collection of the 2-sized topologyknowledge sets of all players Pi. In Zj , for player Pi, the 2-sized topology knowledge is one of ZPiA ,

ZPiB , ZPiC and is denoted by ZPijαi , where αi ∈ {A,B,C}. Therefore, Zj = {ZP1jα1 ,Z

P2jα2 , . . .Z

P|P|jα|P| }.

We assume that there exists a protocol Πj that can solve the problem π for the jth 2-sizedtopology knowledge Zj . This Πj can be considered to be a collection of protocols of each individualplayer Pi. For each player Pi, let there be protocols ΠPi

A defined over ZPiA , ΠPiB defined over ZPiB ,

ΠPiC defined over ZPiC , such that each of the protocols is defined under the assumption that the

2-sized topology knowledge set over which it is defined is a valid 2-sized topology knowledge set

5

(those sets in which one of the edge-set is the actual edge-set), and the collection of all validprotocols for each player defined over valid 2-sized topology knowledge set solves the problem π.Any collection of valid protocols defined over a valid 2-sized topology knowledge set (those sets inwhich one of the edge-set is the actual edge-set) of each individual player forms a protocol like Πj .Corresponding to the respective 2-sized topology knowledge for each player Pi in Zj , one couldwrite Πj = {ΠP1j

α1 ,ΠP2jα2 , . . .Π

P|P|jα|P| } for αi ∈ {A,B,C}. The subscript j is used to indicate that the

jth protocol Πj is running over the jth valid 2-size topology knowledge Zj .Let (αiβ, αiγ) ∈ {(A,B), (B,C), (C,A)} indicate the pair of valid 2-sized topology knowledge

sets ZPiαiβ ,ZPiαiγ for a player Pi. For these two sets, a protocol for Pi is part of the collection ofprotocols Πβ and Πγ over two 2-sized topology knowledge sets Zβ and Zγ . Therefore, protocolslike ΠPi

A , ΠPiB , ΠPi

C exist.Recall that the problem π satisfies IO Condition and Input Honesty Condition or IO

Condition and Output Agreement Condition in Table 1. IO Condition and Input HonestyCondition together imply that there is a unique output for a given input for the problem π. IOCondition and Output Agreement Condition force the inputs to be consistent so as to make theoutputs same.

Notice that using the three protocols, ΠPiA , ΠPi

B and ΠPiC , problem π can be solved even if

the player Pi is not aware of the actual topology. Let there be three protocols Πβ, Πγ , Πδ wherein each of them, the protocol for Pi is ΠPi

αiβ, ΠPi

αiγ and ΠPiκ where κ ∈ {{A,B,C} \ {αiβ, αiγ}}

respectively. Specifically, all the players run all the three protocols Πβ,Πγ and Πδ and obtain threeoutputs O1, O2 and O3 respectively. Note that the actual graph is part of all the individual players’topology knowledge in at least two of the three cases. That is, actual graph is the input to at leasttwo of the three protocols. Thus, at least two of the three outputs must be same and equal tothe output that a protocol solving π would produce. Thus, in a similar manner, every player cantake the majority of the three outputs and thereby solve π. Thus, a protocol for π with topologyknowledge T K exists if and only if a protocol for solving π exists with each of the two valid topologyknowledge sets (i.e. those that contain the actual edge-set) among ZPiA , ZPiB , ZPiC . Thus, we cansay that if some protocol solves a problem for each of its 2-sized T Ks derived from 3-sized T K,then Π solves the problem with 3-sized T K.

Induction Hypothesis: Let us suppose that the statement is true for up to any m-sized T K. Thatis to say, If π is solvable for each of its 2-sized T Ks derived from the m-sized T K, then π can besolved with topology knowledge T K.

Induction: Let T Ki be m + 1-sized T Ki. Since m + 1 > 3, we can partition T Ki of every playerPi into 3 sets, say X,Y, Z each of which is of size less than m + 1 such that every element inT Ki occurs in two among X,Y and Z. Therefore two of X,Y and Z make a valid m-sized T K.From our induction hypothesis, we know that π can be solved with an m-sized topology knowledgeM if it can be solved for each of the 2-sized topology knowledge sets derived from M . In theproof for the Base Case condition, we replace 2-sized topology knowledge with m-sized topologyknowledge set, and the set {A,B,C} with {X,Y, Z} and (αiβ, αiγ) ∈ {(A,B), (B,C), (C,A)} with(αiβ, αiγ) ∈ {(X,Y ), (Y,Z), (Z,X)}. We proceed along the same lines as in the proof for BaseCase. This way, we can show how a protocol that solves π for each of the m-sized T K derived fromm + 1-sized T K can solve π for m + 1-sized T K. Thus, the statement is true for an m + 1-sizedT K.Therefore, by induction, it is true ∀m ∈ N.

6

3.2 Arbitrary to Uniform T K

From the prequel, it is enough to characterise the possibility of PRC for a 2-sized T K. For a set ofplayers P, a 2-sized T K = {T K1, T K2, . . . , T K|P|}, where each T Ki = {E i0, E i1}, ∀i ∈ P. Notice thateach player can have a different T Ki, and working with varying T Kis can become cumbersome. Inour characterization, we avoid working directly with 2-sized T K for this reason. In this section, weshow that for any problem π, working with a 2-sized T K can be brought down to working with amodified T K, say, T K′ which is formed by the intersection of each of the T Kis in 2-sized T K and aset denoted by 2-sized T KG which in all respects has the properties of a 2-sized T Ki and is knownglobally to all the players. There are 2|P|

2

possibilities for 2-sized T KG. We show that solving πusing a 2-sized T K is possible if and only if π can be solved for all the 2|P|

2

possibilities for T K′.Following this, we give a necessary and sufficient condition for the possibility of PRC given T K′.Owing to space constraints, we are moving this to Appendix B

Given that we have these Bridge Theorems: Theorem 3.1 and Theorem B.1 and since theproblem of PRC satisfies the conditions under which the theorems are true, the task of solvingPRC can now be taken up on the 2-sized uniform T K. Following this, we construct back theconditions for PRC for the case of an N-sized T K by following the path taken to reduction in thereverse direction.

4 Main Characterization Theorem for PRC

We begin with a few definitions and lemmas. Our proofs use rigorous path analysis of paths betweenthe sender S and the receiver R.

Definition 5 (Strong Path) A sequence of vertices v1, v2, v3, . . . , vk is said to be a strong pathfrom v1 to vk in the network N = (P, E) if for each 1 ≤ i < k, (vi, vi+1) ∈ E. Furthermore, weassume that there vacuously exists a strong path from a node to itself.

Definition 6 (t-(S,R,)-strong-connectivity) A digraph is said to be t-(S,R)-strong-connectedif the graph is such that there exists at least t vertex disjoint strong paths from S to R.

Definition 7 (Semi-Strong Path) A sequence of vertices v1, v2, v3, . . . , vk is said to be a semi-strong path from v1 to vk in the network N = (P, E) if there exists a 1 ≤ j ≤ k such that thesequence vj to v1 as well as vj to vk both are strong paths in the network. We call the vertex vj asthe head of the semi-strong path.

Definition 8 (Weak Path) A sequence of vertices v1, v2, v3, . . . , vk is said to be a weak path fromv1 to vk in the network N = (P, E) if for each 1 ≤ i < k, either (vi, vi+1) ∈ E or (vi+1, vi) ∈ E .Furthermore, we assume that there vacuously exists a weak path from a node to itself.

Definition 9 (PRC Protocol) Let N = (P, E) be a network, with topology knowledge T K, underthe influence of a Byzantine adversary that may corrupt up to any t players. We say that aprotocol for transmitting a message from S to R is (t, δ)-reliable if for any valid adversary strategy,the probability that R outputs m given that S has sent m, is at least δ where the probability is overthe random inputs of all the players and random inputs of the adversary.

Whenever we refer to a PRC Protocol in the rest of the paper, it is assumed to be (t, δ)-reliable.

7

Definition 11 (Critical Combination) Given the following: A network N = (P, E), where P is theset of players, and E, the set of edges between the players in P. Two players identified as S (denotingsender) and R (denoting receiver) such that {S,R} ∈ P. Two t-sized sets - B1 and B2, such thatB1 ⊂ P, B2 ⊂ P in the network N . A 2-sized T KG = {E0, E1} for the network N . A 2-sized T Kfor the network N . A set X of players, X = {i|T K′i = N and i ∈ (P \ B1 ∪ B2 ∪ R-group)}; LetC = (P \B1 ∪B2 ∪ R-group); X is a set of players in C which know the actual graph N after knowingT KG. X ∩ R-group = ∅. A set Z ⊂ C of players that are part of all weak paths from S to R andthose players that have a semi-strong path from itself to R.Network N is said to be in a Critical Combination if any of the following hold:

• Either B1 or B2 cut across all strong paths between S and Rs.

• B1 ∪B2 cut across all weak paths between S and R.

• ∃W such that every weak path p that avoids both B1 and B2 between S and R has a node, say w,that has both its adjacent edges (along p) directed inwards and w ∈W and the following hold:

– Both B1 and B2 are vertex cut-sets between w and R. In other words, every strong pathfrom w to R passes through both B1 and B2.

– For α ∈ {0, 1}, B1 is a vertex cut-set between all nodes in (W ∪ (Z ∩ X)) and R in theedge-set Eα ∈ T KG and B2 is a vertex cut-set between all nodes in (W ∪ (Z ∩X)) and Rin the edge-set Eα ∈ T KG.

Definition 10 ((Player p)-Group) (Player p)-group is defined with respect to two t-sized subsetsof P, say B1 and B2. A p-group in graph G is the set of all players q (including p) such that q hasa strong path from it to p not passing through any node in (B1 ∪ B2). It also contains any playerw that can reliably communicate even though the path from it to R passes through B1 or B2.

Note 2 Following Definition 11, network N can be divided into four components for a given twot-sized sets, B1 and B2 as follows: R-group, B1, B2 and the rest of the players together as one,say C = P \ (B1 ∪ B2∪ R-group). Since the sender S and the receiver R are honest, we considerthe case when S ∈ C. The only other possibility is S ∈ R-group, in which case the protocol forPRC is obvious. R-group has no knowledge of the actual graph N , and each player in R-group hasthe same topology knowledge as that of the globally declared 2-sized T KG, made of two edge-sets{E0, E1}. Set X ⊂ C. Set Z ⊂ C. Players in P \ (X∪ R-group) all have the same topologyknowledge {E0, E1}.

Theorem 4.1 (Main Theorem) For δ > 12 , a (t,δ)-reliable PRC protocol between S and R

in the network N = (P, E) with a 2-sized T K tolerating a t-adversary exists if and only if forevery B1, B2 of size at most t, such that B1 ∈ P, B2 ∈ P in the network, Critical Combination[Definition 11] does not occur in N .

Proof. Necessity: For Necessity,we must show that a network N that is in Critical Combinationguarantees that no PRC protocol from S to R exists in N . We now take each of the conditionsdescribed for a network to be in Critical Combination (Definition 11) and show that no PRCprotocol can exist between S and R when the condition is true.

Note that if the T K′i of all the players, following the inputs given in the Definition 11, is asingleton set, that is all the players have identified the actual graph N of the network, then the

8

requirement for the PRC protocol is, as per the conditions in [SGSR08]. The results in [SGSR08]have a strong receiver R-specificity. With our results we gain a better insight into this R-specificity.In fact, we show that the knowledge of the actual graph or the absence of it for the receiver R isthe key for the existence or non-existence of the PRC protocol. The following four lemmas shallcapture the requirement of our necessity proof.

Lemma 4.1.1 Following Definition 11, if either B1 or B2 cut across all strong paths between Sand R in N , then a PRC protocol between S and R does not exist.

Proof: It is obvious to see that in this case, an adversary that can corrupt up to any t players cancorrupt the set B1 or B2 that cuts across all strong paths between S and R, and thereby disconnectthe two in which case no PRC protocol can ever exist.

Lemma 4.1.2 Following Definition 11,if B1 ∪B2 cut across all weak paths between S and R, thena (t,δ)-reliable PRC protocol (δ > 1

2) between S and R does not exist.

Lemma 4.1.3 Following Definition 11, if ∃W such that every weak path p that avoids both B1 andB2 between S and R has a node, say w, that has both its adjacent edges (along p) directed inwardsand w ∈W and both B1 and B2 are vertex cut-sets between w and R, then a PRC protocol betweenS and R does not exist. In other words,if every strong path from w to R passes through both B1

and B2, then a (t,δ)-reliable PRC protocol (δ > 12) between S and R does not exist.

Proofs of Lemmas 4.1.2 and 4.1.3 are given in Appendix B.

Lemma 4.1.4 Following Definition 11, if ∃W such that every weak path p that avoids both B1 andB2 between S and R has a node, say w, that has both its adjacent edges (along p) directed inwardsand w ∈W and for α ∈ {0, 1}, B1 is a vertex cut-set between all nodes in (W ∪ (Z ∩X)) and R inthe edge-set Eα ∈ T KG and B2 is a vertex cut-set between all nodes in (W ∪ (Z ∩X)) and R in theedge-set Eα ∈ T KG. then a (t,δ)-reliable PRC protocol (δ > 1

2) between S and R does not exist.

Proof Outline: The proof of this lemma gives the topology knowledge effect on the possibility of(t,δ)-reliable PRC protocol for a given network modeled as a directed graph. The proof is bycontradiction.

Assume that a protocol Π solves PRC (with error probability less than 12) from S to R in the

edge-set E0 tolerating t-adversary. If one considers Π as a collection of programs to be run by eachof the players in the graph G, then define another protocol Π′ such that in Π′, the players S, R,and players in R-group run the same programs as they run in the protocol Π, the players in sets B1

and B2 swap the programs that they run in Π, and the players in the set (W ∪ (Z ∩X)) runs theprogram in Π with one change: wherever it is to send its message to B1 in Π, it sends its messageto B2 in Π′. This protocol Π′ is clearly a protocol to solve PRC from S to R in the edge-set E1

tolerating t-adversary.Consider two executions F1 of Π in the edge-set E0 and F2 of Π′ in edge-set E1. In both

executions the vertices in R-group hold the random inputs {ρu|u ∈ R-group }. In the executionFα ∈ {F1, F2}, the Byzantine set Bα is corrupt and the message mα is transmitted by S, the ran-dom inputs of the vertices in (C ∪Bα)1 are {ρu|u ∈ (C ∪Bα)}. The behavior of the Byzantine setBα in the execution Fα is to send no message whatsoever to C∪Bα and to send to R-group exactlythe same messages that are sent to R-group by the honest Bα in the execution Fα. In order for theByzantine set Bα to behave as specified in the execution Fα, the adversary needs to simulate the

1We denote 1 = 2 and vice-versa;

9

behavior of (C ∪Bα) in the execution Eα. To achieve this task,the adversary simulates round-by-round the behavior of the vertices in (C ∪Bα) for the execution Fα using {ρu|u ∈ (C ∪Bα)} as therandom inputs for the vertices in (C ∪Bα). At the beginning of each round, each simulated playerhas a history of messages that it got in the simulation of the previous rounds and its simulated localrandom input. The simulated player sends during the simulation the same messages that the honestplayer would send in the original protocol in the same state. The simulated messages that (playersin) Bα sends to R are really sent by the players. All other messages are used only to update thehistory for the next round. The messages which are added to the history of each simulated vertexare the real messages that are sent by players in R-group and the simulated messages that are sentby the vertices in (C ∪ Bα). No messages from Bα are added to history. The history of messagesof each simulated vertex in execution Fα is the same as the history of the vertex in execution Fα.Therefore, the messages sent by B1 and B2 to members of R-group in both executions are exactlythe same and the members of R-group and in particular the receiver R receive and send the samemessages in both executions. Thus, the receiver R cannot distinguish whether the set B1 is corruptand the message transmitted by S is m1 or the set B2 is corrupt and the message transmitted byS is m2. Now, consider all the pairs of executions where the random inputs range over all possiblevalues. In each pair of executions, whenever R accepts the correct message in one execution itcommits an error in the other. Thus, for any strategy by R for choosing whether to receive m1 orm2 there is some α such that when mα is transmitted, the receiver accepts mα with probability atmost 1

2 .This completes the necessity part of the proof for Theorem 4.1.

Proof. Sufficiency: For Sufficiency, Network N that is not in Critical Combination guarantees theexistence of a PRC protocol from S to R in N . So, we prove by giving a protocol and its proof ofcorrectness. Owing to space constraints, we move the discussion of the protocol to Appendix C.

4.1 Corollaries

S

W

R

x

B2

B1

n1

n2

n3

n4

x1

l

M

k

k

Figure 1: Network N

S

W

R

x

B2

B1

n1

n2

n3

n4

x1

l

M

k

k

Figure 2: Network N ′

Corollary 4.1.1 There exist networks over which, a PRC protocol between a Sender S and theReceiver R in the network tolerating a t-adversary exists, if every player in the network has completeknowledge of the topology but does not exist if in the network, each player does not have knowledgeof up to dmin-levels (hops) (both for in-edges as well as out-edges) where dmin = bn−2t

3 c+ 1, wheren is the total number of players in the network.

Proof: We give a proof by construction. The Figure 3 represents the state of a network N similarto what is given in Note 2. The network N is constructed such that it satisfies the conditions for

10

the possibility of PRC tolerating a t-adversary when each player has complete knowledge of thetopology. Let there be n nodes in the network. The number of nodes in the path between W andM is l. Notice that the sets B1 and B2 cut across all strong paths between S and R. There arek nodes in the path connecting M to a node in B1 and k nodes in a path from M to B2 which isdisconnected at node X1. Sets B1 and B2 are sets of t nodes each, of which the adversary corruptson of them. Both B1 and B2 are such that they contain nodes of the kind n1, n3 that form partof disjoint weak paths from S to R. They also contains nodes of the kind n2, n4 that form part ofdisjoint strong paths from S to R, totalling t+ 1. There is a weak path between S and R passingthrough W . Notice that, in the network, R knows W , n1, n2, n3, n4 with knowledge of up to asingle hop. S knows W ,n1,n2,n3,n4 with a knowledge of up to a single hop. That is there are nonodes in between the paths from S and R to these nodes. Clearly, for this network, PRC protocolexists in the presence of a complete topology knowledge, because the underlying undirected graphis (2t + 1)-S,R connected and it has (t + 1)-strong paths for any number of nodes l in the pathbetween W and M .

Let l >= k − 1 for the network. Clearly, for this network if we count the number of nodes andequate it to n, we get: n = 4 + 2k + l + 2t, which, when you take for the minimum value of l,n = 2t+ 3k + 3.

In such a network N , notice that the adversary can thwart the possibility of PRC in theabsence of knowledge of dmin levels, because, for knowledge of up to dmin − 1 hops, it can ensureindistinguishable views for the receiver over two executions, Ea and Eb by constructing anothernetwork similar to that of N - N ′ (see Figure 4). The adversarial strategy is exactly as describedin the proof of Lemma 4.1.4, and it is as good as saying that T KR contains both N and N ′. In theconstruction, it is only when each player has knowledge of up to dmin levels that R distinguishesbetween N and N ′.

Corollary 4.1.2 For any network, existence of a PRC protocol between S and R in the networktolerating a t-adversary when each player has complete knowledge of the topology implies existenceof a PRC protocol between S and R in the network tolerating a t-adversary when each playerhas knowledge of up to dmin-levels (hops) (both for in-edges as well as out-edges) where dmin =bn−2t

3 c+ 1, where n is the total number of players in the network.

Proof: Proof for the Corollary 4.1.2 is given in Appendix E.

5 Conclusion

We have provided a complete characterization for the problem of Probabilistic Reliable Communi-cation given topology knowledge as a parameter. The significance of our results can be understoodfrom the following implications: (a) Generalization: Our results are a strict generalization of theexisting results for probabilistic reliable communication [SGSR08]; (b) The “Randomization-effect”:It is well known that for perfectly reliable communication, fault-tolerance is independent of nodes’knowledge of the network topology [SKR+05]; we show that in the case of probabilistic reliable com-munication, fault-tolerance is extremely sensitive to changes in the knowledge of network topology.c) Optimization: Our results may be used to answer the question: what is the optimal fault-tolerancethat is achievable in reliable communication for a specified T K and vice-versa.

11

References

[DDWY93] D. Dolev, C. Dwork, O. Waarts, and M. Yung. Perfectly Secure Message Transmission.Journal of the Association for Computing Machinery (JACM), 40(1):17–47, January1993.

[DW02] Y. Desmedt and Y. Wang. Perfectly Secure Message Transmission Revisited. In Pro-ceedings of Advances in Cryptology EUROCRYPT ’02, volume 2332 of Lecture Notesin Computer Science (LNCS), pages 502–517. Springer-Verlag, 2002.

[FMS03] Paola Flocchini, Bernard Mans, and Nicola Santoro. Sense of direction in distributedcomputing. Theor. Comput. Sci., 291(1), 2003.

[FRS99] Paola Flocchini, Alessandro Roncato, and Nicola Santoro. Backward consistency andsense of direction in advanced distributed systems. In PODC ’99: Proceedings of theeighteenth annual ACM symposium on Principles of distributed computing. ACM, 1999.

[FW98] M. Franklin and R. N. Wright. Secure Communication in Minimal Connectivity Models.In Proceedings of Advances in Cryptology EUROCRYPT ’98, volume 1403 of LectureNotes in Computer Science (LNCS), pages 346–360. Springer-Verlag, 1998.

[FW00] M. Franklin and R.N. Wright. Secure Communication in Minimal Connectivity Models.Journal of Cryptology, 13(1):9–30, 2000.

[KGSR02] M.V.N.A. Kumar, P. R. Goundan, K. Srinathan, and C. Pandu Rangan. On perfectlysecure communication over arbitrary networks. In Proceedings of the 21st Symposiumon Principles of Distributed Computing (PODC), pages 193–202, Monterey, California,USA, July 2002. ACM Press.

[SGSR08] Bhavani Shankar, Prasant Gopal, Kannan Srinathan, and C. Pandu Rangan. Uncondi-tionally reliable message transmission in directed networks. In SODA ’08: Proceedingsof the nineteenth annual ACM-SIAM symposium on Discrete algorithms, pages 1048–1055, 2008.

[SKR+05] Lakshminarayanan Subramanian, Randy H. Katz, Volker Roth, Scott Shenker, andIon Stoica. Reliable broadcast in unknown fixed-identity networks. In PODC ’05:Proceedings of the twenty-fourth annual ACM symposium on Principles of distributedcomputing, New York, NY, USA, 2005. ACM.

[SR06] Kannan Srinathan and C. Pandu Rangan. Possibility and complexity of probabilisticreliable communications in directed networks. In Proceedings of 25th ACM Symposiumon Principles of Distributed Computing (PODC’06), 2006.

[VGG+09] Pranav K. Vasishta, Prasant Gopal, Anuj Gupta, Piyush Bansal, and Kannan Sri-nathan. Brief announcement:Topology knowledge affects probabilistic reliable commu-nication. In Proceedings of 28th ACM Symposium on Principles of Distributed Com-puting (PODC’09), 2009.

12

A Size Reduction Conditions

The following are the conditions that the problems must satisfy for the equivalence of N-sized T Kto 2-sized T K to work:

The conditions and the corresponding equivalence between solvability of problems with N -sizedT K and the solvability of problems using some k-sized T K. where k <= N , are as follows:• IO Condition: The problem should be such that its Input-Output relation must be a

function, that is, for a given input, there is only a unique output.

• Input Honesty Condition: Is there a requirement for the input givers to be honest?

– If yes, then there is an equivalence that can be shown from N -sized T K to 2-sizedT K.

– If not,Output Agreement Condition: Is there a requirement for agreementamongst the outputs?

∗ If yes, Output Secrecy Condition:Is there a requirement for the secrecy ofoutputs?· If yes, then there is an equivalence that can be shown from N -sized T K tok-sized T K, where k > 2. (This is our conjecture)· If not, then there is an equivalence that can be shown from N -sized T K to

2-sized T K.∗ If not,then the equivalence is dependent on the Input-Output relation. In other

words, it is sensitive to input-output relation and equivalence is not genericallyobtained.

Table 1: Size Reduction Conditions

A.1 Reductions Conditions satisfied by PRC

For the problem of Probabilistic Reliable Communication, the input-output relation is a function.The function is to output a yes/no depending on whether reliable message transmission takes placebetween a sender S and a receiver R or not, where the inputs are a graph that models the network,and the adversary that operates in the network. Since we have not yet given the condition in thepresence of partial topology knowledge, let every player in the network know the complete topology.Shankar et al. in [SGSR08] have given the conditions that are required for the occurrence of PRCbetween S and R, which is the function that operates on this problem. The function gives ananswer yes/no which is unique for the given input. So, PRC satisfies the IO Condition in theReduction Conditions mentioned in Table 1.

One may consider input giver, here S to be honest, or dishonest in PRC. If the input giver isconsidered to be honest, then the Input Honesty Condition is satisfied by PRC.

Even if the input giver is dishonest, since the PRC protocol has only one output from thereceiver, the Output Agreement condition is satisfied. Rather, the IO Condition enforces OutputAgreement condition in the absence of Input Honest condition. For PRC, Output Secrecy is not arequirement. So, it need not satisfy the secrecy requirement.

Thus PRC falls under both the categories that satisfy: (1) IO Condition and Input Honesty (2)IO Condition and Output Agreement.

13

B Bridge Theorem 2 : From 2-sized T K to T K′

We begin with the following definitions before we give the Bridge Theorem 2:

Definition 12 (Global T KG and k-sized T KG) For a given network N = (P, E), a global T KGis defined as a globally published topology information accessible to all the players in the networkN . Its representation and properties are similar to that of T Ki. It is represented as a set of graphs,i.e. T KG = {Gi} with the condition that one of the graphs in T KG is the actual graph N , where1 ≤ |T KG| < 2|P|

2

. If |T KG| = k, then the T KG shall be called k-sized T KG. Similar to Note 1,T KG can be represented using the corresponding edge-sets of the graphs in it.

Definition 13 (T K′i and T K′) Given a network N = (P, E), a T KG and a T K, then we defineT K′i as the updated topology knowledge of player i from knowing T KG. Collection of all such T K′isforms T K′,i.e., T K′ = {T Ki ∩T KG} ∀i ∈ P. Similar to Note 1, T K′ can be represented using thecorresponding edge-sets of the graphs in it.

Theorem B.1 A protocol Π that solves a problem π over a network N with 2-sized T K influencedby an adversary A exists if and only if, for each of the T K′ sets formed from the 2|P|

2

possibilitiesfor the 2-sized T KG, there exists a protocol solving π with T K′.

Proof: Only-If part: This is the easier part. It is evident that the topology knowledge T K′ is higherthan the topology knowledge T K, since every T Ki is a superset of T K′i = T Ki ∩ T KG. Therefore,if a protocol Π works correctly over T K, it would vacuously be a correct protocol over T K′ too.If part: Let there exist protocols for problem π for each of the valid 2-sized T KGs. We now showthat this implies that there exists protocols for π for any valid 3-sized T KG. Specifically, let a3-sized T KG be T = {E1, E2, E3}. Consider the three 2-sized subsets, namely, X1 = {E1, E2},X2 = {E2, E3} and X3 = {E1, E3}. Note that at least two of the above three Xi’s are valid globalT KG’s (that is they contain the actual edge set). Suppose the players execute the protocol forsolving π for each of these two T KGs, their outputs must exactly match since the problem is solvedover the same network with the same inputs! However, the players are unaware of which of the twoXi’s are valid global T KGs. It turns out that this does not matter since the players could executeprotocols for all the three Xi’s and perform a majority voting on the outputs to obtain the correctoutput for problem π for the 3-sized T KG, namely T .

By induction, one can now solve the problem π for any given 4-sized T KG (since any 4-sizedT KG can be split into three subsets of size ≤ 3 such that at least two of them valid and yieldexactly the same output). Continuing further, we find that solving π with any m-sized T KG(where 2 < m ≤ 2|P|

2

) is possible if and only if π is solvable for each of its 2-sized subset T KGs.Notice that the case of m = 2|P|

2

is nothing but the case where T K is exactly equal to T K′. Hencethe theorem.

C Proof of Lemma 4.1.2, Lemma 4.1.3, Lemma 4.1.4

Lemma C.0.1 Following Definition 11,if B1∪B2 cut across all weak paths between S and R, thena PRC protocol between S and R does not exist.

Note 2 gives us the glimpse of the state of the network N following Definition 11.

It is evident from the definition of R-group that there do not exist vertices u ∈ C and v ∈ R-group,such that the edge (u, v) is in N . When B1 ∪B2 cut across all weak paths between S and R, there

14

do not exist vertices u ∈ C and v ∈ R-group, such that the edge (v, u) is in N .

We prove the impossibility even for the best case where every other edge (other than those betweenC and R-group) exists and when every player knows the actual graph.

Define two executions E1 and E2 as follows. In both executions the vertices in R-group hold therandom inputs {ρu|u ∈ R-group }. In the execution Eα ∈ {E1,E2}, the Byzantine set Bα iscorrupt and the message mα is transmitted by S, the random inputs of the vertices in (C ∪ Bα)2

are {ρu|u ∈ (C ∪Bα)}. The behavior of the Byzantine setBα in the execution Eα is to send no message whatsoever to C ∪ Bα and to send to R-group

exactly the same messages that are sent to R-group by the honest Bα in the execution Eα. Inorder for the Byzantine set Bα to behave as specified in the execution Eα, the adversary needsto simulate the behavior of (C ∪ Bα) in the execution Eα. To achieve this task, the adversarysimulates round-by-round the behavior of the vertices in (C ∪ Bα) for the execution Eα using{ρu|u ∈ (C ∪ Bα)} as the random inputs for the vertices in (C ∪ Bα). At the beginning of eachround, each simulated player has a history of messages that it got in the simulation of the previousrounds and its simulated local random input. The simulated player sends during the simulationthe same messages that the honest player would send in the original protocol in the same state.The simulated messages that (players in) Bα sends to R are really sent by the players. All othermessages are used only to update the history for the next round. The messages which are addedto the history of each simulated vertex are the real messages that are sent by players in R-groupand the simulated messages that are sent by the vertices in (C ∪ Bα). No messages from Bα areadded to history. The history of messages of each simulated vertex in execution Eα is the same asthe history of the vertex in execution Eα. Therefore, the messages sent by B1 and B2 to membersof R-group in both executions are exactly the same and the members of R-group and in particularthe receiver R receive and send the same messages in both executions. Thus, the receiver R cannotdistinguish whether the set B1 is corrupt and the message transmitted by S is m1 or the set B2 iscorrupt and the message transmitted by S is m2. Now, consider all the pairs of executions wherethe random inputs range over all possible values. In each pair of executions, whenever R acceptsthe correct message in one execution it commits an error in the other. Thus, for any strategy by Rfor choosing whether to receive m1 or m2 there is some α such that when mα is transmitted, thereceiver accepts mα with probability at most 1

2 .

Lemma C.0.2 Following Definition 11, if ∃W such that every weak path p that avoids both B1

and B2 between S and R has a node, say w, that has both its adjacent edges (along p) directedinwards and w ∈W and both B1 and B2 are vertex cut-sets between w and R, then a PRC protocolbetween S and R does not exist. In other words,if every strong path from w to R passes throughboth B1 and B2, then a PRC protocol between S and R does not exist.

Proof: Note 2 gives us a glimpse of the state of the network N following Definition 11.

In Lemma 4.1.2, we proved that when there are no weak paths between S and R that avoid B1

and B2, PRC protocol does not exist. We now show that in spite of the presence of multiple suchweak paths between S and R that avoid B1 and B2, if they have a node of the type w, with bothits edges inwards towards w along the path, PRC protocol does not exist when both B1 and B2

are vertex cut-sets between w and R. We take the case where every player complete knowledge of2We denote 1 = 2 and vice-versa;

15

the topology in spite of which PRC is shown to be impossible.

At least one edge from these weak paths must be from a node in R-group to another node in C(since these are paths outside (B1 ∪B2) and from S to R). We will show that removing that edgehas no effect on the possibility of PRC thereby proving the required result.

Firstly, how can these edges be useful? The answer is that they can be used by players in R-groupto send some secret messages to the players in C such that the adversary, oblivious of these mes-sages, cannot simulate the messages of C without being distinguished by R-group. However, if weare able to show that no such secret information can help PRC from S to R, then we are through.We do the same now.

A node x is said to have no influence on R if the output of R is independent of values sent byx. Otherwise x is said to influence R. Consider an edge (y, x) in N such that y ∈ R-group andx ∈ C. We need to know whether x can influence R by using the data received from y. Supposewe manage to show that it cannot then we are through since what it means is that data sent alongthe edge (y, x) has no effect on R and hence can be ignored. We now proceed to prove the same.

Suppose that the node R can be influenced by x. This (at least) means that there must be a pathx,w1, w2, . . . , wq,R in N such that x transmits some information to w1, then w1 transmits someinformation to w2 that depends on the information it got from x and so on until some informationgets to R.3

Given that every path from x to R passes through some node(s) in Bα followed by some node(s) inBα for some α ∈ {1, 2}, the adversary if it corrupts the αth set in A = {B1, B2}, does the following:let wj be the first vertex in Bα on a path from x to R. The corrupt wj ignores the real messagesthat it gets from the players in C ∪Bα and thus the messages that it sends do not depend on themessage sent by x. Similarly, the messages sent by x when Bα simulates the players in C do notinfluence the messages it sends to R since the path from x to R passes through at least one vertexfrom Bα and no messages are sent by players in Bα during the simulation. Thus even if R mayknow that the correct secret (that was exchanged using the edge (y, x)) was not used, he will notknow which set in A to blame. Thus the simulated messages of x have no influence on the messagesreceived by R and can be ignored. Hence, the impossibility of PRC proved in Lemma 4.1.2 is notaltered by using the edges from R-group to C.

D Sufficiency Proof of Theorem 4.1

D.1 Sufficiency Proof

For Sufficiency, Network N that is not in Critical Combination guarantees the existence of a PRCprotocol from S to R in N . So, we prove by giving a protocol and its proof of correctness.

Note 2 gives us the glimpse of the state of the network N following Definition 11.

3Since the network is synchronous, it may be possible to transmit information without actually sending messagebits. However, even such transmissions are possible only between nodes that can actually exchange some message-bitsas well. Thus, an information-path is necessarily a physical path too.

16

Since there are n players, and t can be corrupted, there are(|P|t

)options in front of the adver-

sary,that is there are exactly(|P|t

)distinct ways of corrupting exactly t players. Let each of the

(|P|t

)distinct subsets of size t be represented as {B1, B2, B3, . . . , B(|P|t )} where Bi ⊂ P and |Bi| = t. First,we show how to design a “PRC” sub-protocol assuming that the adversary is allowed to chooseonly from two of the

(|P|t

)options that originally existed. In other words, we are only concerned

about an adversary that may corrupt the players in the set Bα or the set Bβ, where 1 ≤ α, β ≤(|P|t

)and α 6= β. Let us denote the resulting sub-protocol as Παβ. In the sequel, we show how to use all

the sub-protocols Παβ (there are clearly((|P|t )

2

)of them) to design a grand protocol Π that can be

proved to be the required PRC protocol. In the Definition 11, the two t-sized sets B1 and B2 can beunderstood as the sets of players that an adversary may corrupt in one of the instances of Bα and Bβ.

An honest player is the player not corrupted by the adversary. An honest path is understood asthe path that avoids the sets Bα and Bβ. An honest player in the network in possession of theactual edge-set behaves differently from an honest player which has a doubleton set. When theplayer knows E , all their communication, that is, sending and receiving messages is along the linesof edges in E only. When the player has a doubleton set as its T Ki, it sends messages along both,the edges in actual edge-set E and the other edge-set in its T Ki. It is never sure which of itsmessage is valid, because all communication along the false edges is lost, and the identity of thefalse edges is not with the player. Now, an honest player with a doubleton set as its T Ki acceptsall messages that it receives which it identifies as valid, that is, those belonging to the edges in anyof the two edge-sets in its T Ki. All players corrupted by the adversary, w.l.o.g.,can be assumed toknow T K and the actual edge-set E . This is a modest assumption when dealing with an adversary.An honest player drops all messages from a player if it identifies that it is corrupted by the adversary.

Designing the sub-protocol Παβ: Critical Combination does not occur in network N and this impliesall that all the conditions that cause critical combination are falsified. We see the consequences ofthe same here, and use this to design our sub-protocol.

Neither of Bα or Bβ cut across all strong paths between S and R. Since Bα and Bβ are the setschosen by adversary one of which it can corrupt, there must be at least one honest strong pathfrom S and R that does not pass through either Bα or Bβ in N .

The deletion of both the sets Bα and Bβ from the network N does not cut across all weak pathsbetween S and R. There must exist at least one honest weak path from S to R in N that avoidsboth the sets Bα and Bβ.

We start with this honest weak path, say p. We consider the following two cases in the design ofthe sub-protocol Παβ:

Case (1) :The path p is such that w = S: In this case, the path p contains a player y (which maybe S or R too) such that p is the combination of the strong path from y to S and the strong pathfrom y to R. In other words, y ∈(S-group ∩R-group). We know that R-group has the edge-sets{E0, E1} as its topology knowledge. If S-group∩X 6= ∅, then S would know the actual graph, else,it would have the same topology knowledge as R-group, {E0, E1}. We give the protocol for thecase where both S and R do not have the actual graph N and are in possession of {E0, E1}, one ofwhich is known to be N , as per the Definition 12. The other case is similar and follows the sameapproach. case (i): Notice that y ∈ R-group, so even y has {E0, E1} as its topology knowledge.

17

Each of these edge-sets is such that each has a weak path that does not pass through the two setsBα and Bβ. Let the path along the actual edge-set (w.l.o.g, say E0) be p and along E1 be p′. Inp′, we have a y′ which has a strong path from it to S and R. The state as defined in Note 2 is thesame in both the edge-sets. Note that all players in p and p′ are honest. The protocol that is runon one path p is correspondingly replicated on p′. We give the protocol for p: First, y sends toboth S and R,along its both edge-sets, a message with two parts: one, a set of random keys, two,an array of signatures. Each player appends its signature to the second part of the message as itforwards the message to the next player in the path p. The random keys K1,K2 and K3 (whereKi are elements of a random field F, which in turn is also the message space), along with the listof signatures of the players that the messages have seen, is sent to both S and R along the path p.S, R receive two sets of the same three keys along the actual edge-set, and E1 from y in p. Alongp′, suppose the random keys sent by y′ be K ′1,K

′2 and K ′3 (where K ′i are elements of a random

field F, which in turn is also the message space) . If S, R receive these three keys along both theedge-sets E0 and E1, then they accept them as they cannot distinguish between the two edge-setsas to which is the correct one. S,R end up with two distinct sets of keys - (K ′1,K

′2 and K ′3) and

(K1,K2 and K3). Next,S computes two values: ψ, ψ1; two signatures: χ,χ1; where ψ = (M +K1),χ = (K2(M + K1) + K3) and ψ1 = (M + K ′1), χ1 = (K ′2(M + K ′1) + K ′3), and M is the messagethat needs to be reliably transmitted. S sends two messages in each edge-set E0 and E1

4 to Ralong all the vertex-disjoint strong paths each containing: a value (ψ/ψ1), a signature(χ/χ1), andan array of signatures. Each player appends its signature to the array of signatures as it forwardsthe message to the next player in the path p or correspondingly in p′. Now, R receives two values- two each of ψ′ and ψ′1; two signatures - two each of χ′ and χ′1 along two different paths as aregiven in each of the edge-sets E0 and E1. Notice that, R has knowledge of (K1,K2 and K3) and(K ′1,K

′2 and K ′3). Hence it can easily verify if χ′ ?= K2 ∗ ψ′ + K3 (correspondingly it verifies for

χ′1). R reacts as follows: If the received value ψ′ has a valid signature (χ′ = K2 ∗ψ′+K3), then Routputs (ψ′−K1) (correspondingly it outputs (ψ′1−K ′1) in the other edge-set); furthermore, amongall the received values, at least one of them is guaranteed to be valid (because at least one honeststrong path exists!). The probability that R outputs the same message in both the edge-sets ishigh,namely 1− 1

|F| ,which can be made (1− δ) by suitably choosing F.

Case (2): The path p is such that there are k > 0 players like w (w 6= S ), say w1, . . . , wk along p:We will first consider the case when k = 1. For each of the subsequent cases (k > 1), we repeat theappropriate protocols given below on all wi’s (1 ≤ i ≤ k) and in the sequel succeed in establishingreliable communication between S and R with a high probability.

Since we start with the assumption that conditions on Definition 11 are falsified, note that everystrong path from w to R does not pass through both Bα and Bβ for a w ∈W that is on the honestweak path p from w1 to R. That is, there must exist a strong path Q from w1 to R that does notpass through nodes in either the set Bα or the set Bβ.

Recall that p must contain a node y (which may be R) such that there is strong path fromy to w1 (along p) and there is a strong path from y to R (also along p). In other words,y ∈ (w1 − group ∩R− group). We know that R-group has the edge-sets {E0, E1} as its topologyknowledge. If w1-group ∩ X 6= ∅, then w1 would know the actual graph, else, it would have thesame topology knowledge as R-group, {E0, E1}. The protocol we give below is in two parts. PartI deals with the protocols to for communication between w1 and R for each of the four cases given

4Note that S can verify if it has at least one honest strong path from it to R or not, and distinguish it with E1

18

above. Part II deal with how, from Part I, we move on to ensure reliable communication betweenS and R with a very high probability.

Part I: Protocols for communication between w1 and R: case (i): We give the protocol for thecase where both w1 and R do not have the actual graph N and are in possession of {E0, E1},one of which is known to be N , as per the Definition 12. The other case is similar and followsthe same approach. The protocol for w1, y,R is similar to the case (i) in Case 1 above till each ofw1, R end up with two distinct sets of keys - (K ′1,K

′2 and K ′3) and (K1,K2 and K3) just as S, R do.

Next, w1 computes two values: ψ, ψ1; two signatures: χ,χ1; where ψ = (Mw1 + K1), χ =(K2(Mw1 + K1) + K3) and ψ1 = (Mw1 + K ′1), χ1 = (K ′2(Mw1 + K ′1) + K ′3), and Mw1 is themessage from w1 that is to be reliably transmitted to R. Let the path along the E0 be Q andalong E1 be Q′. w1 sends two messages in each edge-set (E0 and E1) to R along Q and Q′ eachcontaining: a value (ψ/ψ1), a signature(χ/χ1), and an array of signatures. Each player appendsits signature to the array of signatures as it forwards the message to the next player in the pathQ or correspondingly in Q′. Now, R receives two values - two each of ψ′ and ψ′1; two signatures- two each of χ′ and χ′1 along two different paths as are given in each of the edge-sets E0 andE1. R verifies using both the set of keys in its possession. Using these, it can easily verify ifχ′

?= K2 ∗ ψ′ + K3. It verifies on all combinations of ψ′,ψ′1,χ′ and χ′1. R reacts as follows: If thereceived value ψ′ has a valid signature on at least one of the combination (say χ′ = K2 ∗ ψ′ +K3),then R outputs (ψ′ −K1); else (that is if either the signature is invalid(χ′ 6= K2 ∗ ψ′ +K3) or theoriginal message is not received), R knows the identity (among the two possibilities of α or β) ofthe set that is the corrupt set.

Since we start with the assumption that conditions on Definition 11 are falsified, we note that ∀nodes in (W ∪ (Z ∩X)), for i ∈ {0, 1}, B1 is not a vertex cut-set to R in the edge-set Ei ∈ T KG,and B2 is not a vertex cut-set to R in the edge-set Ei ∈ T KG, the path Q completely avoids theplayers from one of these sets say Bj , j ∈ {1, 2}; This clearly means that a faulty path Q (since awrong message was delivered) entails that set Bj is corrupt (where j = {1, 2} − {j}).

In Case (2) and its sub-cases above, if the set Bj , j ∈ {1, 2}, is not corrupt (which means that theother set may be corrupt), then R receives the correct message with certainty while the adversaryhas no information about the message.On the other hand, if the set Bj is corrupt, then though theadversary still has no information about the transmitted message, he has complete control over R’soutput. R’s output could therefore either be a valid message or a null message with the knowledgethat (any subset of) Bj is corrupt. But, if R receives a valid message, it is the correct messagewith a very high probability.

Protocols for the four cases in Part I aim at one of the following: (a) Simulating a direct edge (inother sense, having a strong path that passes only through honest players) between w1 and R sothat message from w1 can be successfully communicated to R (or) (b) Simulation of the direct edgefails, and R identifies which of the two sets in Bα, Bβ is corrupt.

Part II: If a protocol in Part I succeeds in (a) above, then depending on whether w1 (and therebyall such wi’s) belongs to S-group or vice-versa, that is, w1 ∈ S-group or S ∈ w1-group we have twocases. Note that, there will exist wi’s where neither wi ∈ S-group nor S ∈ wi-group. It is preciselyfor this reason that we repeat the appropriate protocols given below on all wi’s (1 ≤ i ≤ k) so as

19

to arrive at a case where one of these two cases occurs.

If w1 ∈ S-group, then, there exists a direct path from w1 to S. From the protocol in Part I, there isa direct path from w1 to R. That is, w1 ∈ R-group, which implies that w1 ∈ (S-group ∩ R-group).Notice that w1 is similar to the player y in path p in Case (1) of the sub-protocol Παβ. So, in thiscase, we follow the protocol in Case (1) to establish reliable communication between S and R. IfS ∈ w1-group, then S sends the message that it wants to reliably communicate to R through thepath between w1 and R. Since the path is secure, and passes only through honest players, reliablecommunication takes place.

If a protocol in Part I succeeds in (b) above, then we do the following: Since there exists at leastone honest strong path from S to R, it must avoid Bj . S sends the message along its both edge-setswhich has two parts: the message M and an array of player indices. Each player appends its indexto the array of player indices as it forwards the message to the next player along all these pathsto R. The knowledge that Bj is corrupt is sufficient for R to recover the correct message passingthrough the honest path.

Note that this gives us the protocol for our uniform topology knowledge built with the help ofT KGs. To give the protocol for a given 2-sized T K, we use the means shown in the If part proofof the Theorem B.1. This completes our exercise of constructing the sub-protocol Παβ that isguaranteed to work correctly only if one of Bα or Bβ is chosen by the adversary.

Note that R can simulate the sub-protocol Παβγ which assumes that one among the three sets Bαor Bβ or Bγ is chosen by the adversary. The simulation is done as follows: R takes the majorityamong the outputs of the three protocols Παβ, Πβγ and Παγ . A majority is bound to exist sinceany set chosen by the adversary is tolerated in two of the three protocols. Next, R can simulatethe sub-protocol which behaves like a PRC protocol as long as any one among a collection of foursets is chosen by the adversary. Continuing further, R will be able to simulate the protocol thatbehaves correctly if one among the collection of

(nt

)sets is chosen by the adversary. This protocol

by definition is the PRC protocol from S to R! We conclude the sufficiency part of the proof.

E Corollaries

S

W

R

x

B2

B1

n1

n2

n3

n4

x1

l

M

k

k

Figure 3: Network N

S

W

R

x

B2

B1

n1

n2

n3

n4

x1

l

M

k

k

Figure 4: Network N ′

Corollary E.0.1 There exist networks over which, a PRC protocol between a Sender S and theReceiver R in the network tolerating a t-adversary exists, if every player in the network has complete

20

knowledge of the topology but does not exist if in the network, each player does not have knowledgeof up to dmin-levels (hops) (both for in-edges as well as out-edges) where dmin = bn−2t

3 c+ 1, wheren is the total number of players in the network.

Proof: We give a proof by construction. The Figure 3 represents the state of a network N similarto what is given in Note 2. The network N is constructed such that it satisfies the conditions forthe possibility of PRC tolerating a t-adversary when each player has complete knowledge of thetopology. Let there be n nodes in the network. The number of nodes in the path between W andM is l. Notice that the sets B1 and B2 cut across all strong paths between S and R. There arek nodes in the path connecting M to a node in B1 and k nodes in a path from M to B2 which isdisconnected at node X1. Sets B1 and B2 are sets of t nodes each, of which the adversary corruptson of them. Both B1 and B2 are such that they contain nodes of the kind n1, n3 that form partof disjoint weak paths from S to R. They also contains nodes of the kind n2, n4 that form part ofdisjoint strong paths from S to R, totalling t+ 1. There is a weak path between S and R passingthrough W . Notice that, in the network, R knows W , n1, n2, n3, n4 with knowledge of up to asingle hop. S knows W ,n1,n2,n3,n4 with a knowledge of up to a single hop. That is there are nonodes in between the paths from S and R to these nodes. Clearly, for this network, PRC protocolexists in the presence of a complete topology knowledge, because the underlying undirected graphis (2t + 1)-S,R connected and it has (t + 1)-strong paths for any number of nodes l in the pathbetween W and M .

Let l >= k − 1 for the network. Clearly, for this network if we count the number of nodes andequate it to n, we get: n = 4 + 2k + l + 2t, which, when you take for the minimum value of l,n = 2t+ 3k + 3.

In such a network N , notice that the adversary can thwart the possibility of PRC in theabsence of knowledge of dmin levels, because, for knowledge of up to dmin − 1 hops, it can ensureindistinguishable views for the receiver over two executions, Ea and Eb by constructing anothernetwork similar to that of N - N ′ (see Figure 4). The adversarial strategy is exactly as describedin the proof of Lemma 4.1.4, and it is as good as saying that T KR contains both N and N ′. In theconstruction, it is only when each player has knowledge of up to dmin levels that R distinguishesbetween N and N ′.

Corollary E.0.2 For any network, existence of a PRC protocol between S and R in the networktolerating a t-adversary when each player has complete knowledge of the topology implies existenceof a PRC protocol between S and R in the network tolerating a t-adversary when each playerhas knowledge of up to dmin-levels (hops) (both for in-edges as well as out-edges) where dmin =bn−2t

3 c+ 1, where n is the total number of players in the network.

Proof: We give an outline of how the proof proceeds. We first show that for the network constructedin the proof of Corollary 4.1.1, for the knowledge of up to dmin-levels, a protocol exists for thesolvability of PRC. We have already noted that n = 2t+ 3k + 3, in the limiting case for l. Noticethat one needs to have knowledge d = k + 2 levels to know whether node X1 is connected to Mor X is connected to M . Further, R would require l + 2 hops along R, W , . . .M path to reachM . Another hop is needed to know if M has an out-edge to X or X1. When R knows d levels,it knows knowledge of both in-neighbours and out-neighbours up to level d, in the case when theminimum distance required to know as to which edge M is connected to, l + 3 = k + 2 giving usthe limiting case for l. This gives us dmin = bn−2t

3 c+ 1.We now show that for any network over which PRC protocol for complete topology knowledge

exists, knowledge of up to dmin-levels is sufficient. We give a proof by contradiction. Suppose

21

dmin-levels is not sufficient. Then the minimum D for which it would be sufficient would beD = dmin + 1.

Notice that the condition given in Lemma 4.1.4 must be satisfied to experience the effect oftopology knowledge on the possibility of PRC. The value of dmin is therefore dependent on the path-length of the paths between W and R in which there exists a node M where the paths diverge, oneto B1 in the first edge-set and the other to B2 in the second edge-set in the topology knowledge ofR. Knowledge of up to that distance where the receiver R knows what this player M (which couldbe W also) is connected to, is what constitutes our quest.

The underlying undirected graph of network N is (2t + 1)-S,R connected. In the directedgraph, there are (t+ 1)-S,R vertex disjoint strong paths. If any of the vertex-disjoint strong pathsis outside of B1 and B2, then S can reliably communicate to R using that honest strong path.Therefore, all strong paths must pass through either B1 or B2. The construction has a singledirected edge from the sender S to a node in B1 or B2 for all the strong paths. Both B1 and B2

span across 2t weak paths between S and R, leaving one honest weak path outside of both B1 andB2, as is required by the characterization. Such a weak path would have a blocked node w with astrong path to R such that a node M where the paths diverge exists.

Supposing knowledge of up to dmin-levels were not sufficient, we will count the number of nodespresent in the network. If in a path between two nodes P and Q , there are k nodes, then thenumber of hops needed to reach Q from P is k + 1. The path from R, W , . . .M must have dmin

nodes, because only then, under our assumption that knowledge of up to D-levels is sufficient wouldhold because that would reveal whether M is connected to X or X1 for knowledge of up to distanceD. Notice that these dmin nodes include both M and W . Let there be l honest nodes in the weakpath from a node in B1 or B2 through which R would know as to whether X is connected to M orX1 is connected to M . The receiver would see up to a distance k in both edge-sets in its possessionto reach B1 and B2. Further, we know that there are k nodes from M to B1 and B2. The numberof nodes to be covered to reach X or X1 through B1 and B2 respectively from R which includes thenodes k and l should be dmin because D would make sure that R knows whether X is connectedto M or X1 is connected to M . Now, if the nodes are counted along each of these paths, noticethat along the paths through B1 and B2 to X and X1, we include one node each from B1 and B2

in our calculations. So, the total number of nodes, which is n in the network, turns out to be, onassuming knowledge of up D levels 3 × dmin + 2t − 2 + 2. We have counted dmin nodes thrice inthree paths, we counted two nodes, one each from B1 and B2, which we subtract, when we add the2t nodes of the sets B1 and B2. We know the value of dmin, substituting which we get, n = n+ 3,which is a contradiction. Therefore, our assumption that knowledge of up to D levels is sufficientis wrong.

22